Step 6. For mutual authentication, the devices switch roles as claimant and verifier and repeat steps 1 through 5 above.
15 Discoverable and/or connectable devices are prone to attack
5.5 Bluetooth Security, Vulnerabilities, and Threats
Bluetooth offers several benefits and advantages, but these benefits are not provided without risk. Bluetooth technology and Bluetooth-enabled devices are susceptible to the general wireless threats outlined in Section 3, but are also threatened by more specific Bluetooth-related attacks. These more specific Bluetooth-based vulnerabilities are outlined below.
Bluesnarfing - Bluesnarfing enables attackers to gain access to a Bluetooth enabled device. This attack forces a connection to a Bluetooth device, allowing access to data stored on the device and even the device’s international mobile equipment identity (IMEI). The IMEI is a unique identifier for each device that an attacker could potentially use to route all incoming calls from the user’s device to the attacker’s device. This type of attack requires specific software and exploits a firmware flaw in older devices.
Bluejacking - Bluejacking is an attack commonly conducted on Bluetooth-enabled mobile devices, such as cell phones, smart phones, and PDAs. A Bluejacking attack is initiated by an attacker sending unsolicited messages to a user of a Bluetooth-enabled device. The actual messages do not cause harm to the user’s device, but they are used to entice the user to respond in some fashion or add the new contact to the device’s address book. This sort of message-sending attack resembles spam and phishing attacks conducted on email users. Bluejacking can cause harm when a user initiates a response to a Bluejacking message that is sent with a harmful purpose.
Bluebugging - Bluebugging exploits a security flaw in Bluetooth-enabled device firmware to gain access to the device and its commands. This attack uses the commands of the device without informing the user, allowing the attacker to access data, place phone calls, eavesdrop on phone calls, send messages, and exploit other services or features offered by the device. The firmware flaw exploited by Bluebugging is generally found in older devices and can potentially be mitigated with firmware upgrades.
Car Whisperer - Car Whisperer is a software tool developed by European security researchers that exploits a key implementation issue in hands-free Bluetooth car-kits installed in automobiles. The Car Whisperer software allows an attacker to send audio to or receive audio from the car-kit. An attacker could transmit audio to the car’s speakers or receive audio (eavesdrop) from the microphone in the car.

Denial of Service - Like other networking technologies, Bluetooth is susceptible to DoS attacks. However, these types of attacks differ with regard to Bluetooth, as they are not only directed at making a device’s Bluetooth interface unusable, but can also be used to drain the mobile device’s battery. These types of attacks are not significant and, due to the proximity required for Bluetooth use, can easily be averted by simply walking away, along with other mitigation techniques.

Fuzzing Attacks - Commercial Bluetooth fuzzers are available that can cause problems ranging from degradation of service to device reset. Bluetooth fuzzing attacks consist of sending malformed or otherwise non-standard data to a device’s Bluetooth radio and observing how the device reacts. When a device’s response is slowed or otherwise stopped by these attacks, this is an indication that a potentially serious vulnerability exists in the protocol stack. It is important that vendors test the robustness of their Bluetooth stack implementation before making their products available.

5.6 Risk Mitigation and Countermeasures
Although Bluetooth is susceptible to a number of general wireless threats and specific Bluetooth threats, countermeasures can be taken to mitigate known risks. This section outlines Bluetooth countermeasures that are in addition to the authentication, authorization, and confidentiality security mechanisms described in Section 5.3 regarding Bluetooth security. These additional countermeasures include various operational methods and additional software and hardware that go beyond the security structure of the Bluetooth standard. General mitigation techniques for wireless devices can be found in Section 3; specific Bluetooth countermeasures are included in this section.
The first line of defense is to provide an adequate level of knowledge and understanding for those who will deal with Bluetooth-enabled devices. Organizations using Bluetooth technology need to establish and document security policies that address the use of Bluetooth-enabled devices and users’ responsibilities. Organizations should include awareness-based education to support staff understanding and knowledge of Bluetooth. Policy documents should include a list of approved uses for Bluetooth, the type of information that may be transferred over established Bluetooth networks, and any disciplinary actions that may result from misuse. The security policy should also specify a proper password usage scheme. General guidelines for developing security policies can be obtained from NIST Special Publication 800-100, Information Security Handbook: A Guide for Managers.[37]

The general obscurity and mobility of Bluetooth-enabled devices increase the difficulty of employing traditional security measures. However, a number of countermeasures can be enacted to secure Bluetooth devices, ranging from distance and power output to general operation practices. Outlined below are several countermeasures that can be employed to secure Bluetooth devices and communications.

[37] NIST SP 800-100, Information Security Handbook: A Guide for Managers, is available at

Authentication. Bluetooth devices can store and automatically access link keys, outlined in Section 5.3, from memory and automatically pair with certain devices. Incorporating application-level software that requires password authentication to secure the device will add an extra layer of security. Again, passwords are fundamental measures, adding an extra layer of security. Additional authentication mechanisms, such as biometrics and smart cards, can be used to provide strong authentication to Bluetooth devices. More details on authentication mechanisms are included in Section 4.5.3.4.
Encryption. Higher layer encryption (especially FIPS 140-2 validated) will also add an additional layer of security. Bluetooth PIN cracking tools are readily available that make current native encryption mechanisms breakable. Employing stronger encryption techniques over the native encryption (e.g., at the RFCOMM layer) will further protect the data in transit.
Disable Bluetooth. Bluetooth capabilities should be disabled on all Bluetooth devices, except when the user explicitly enables Bluetooth to establish a trusted connection. As a secondary procedure, operational Bluetooth interfaces should be configured in non-discoverable mode, which prevents visibility to other Bluetooth devices.
PIN Length. The PIN on Bluetooth devices should be changed to at least an eight-character alphanumeric PIN code, if possible. This will increase the security of the pairing function and make the PIN more difficult to identify. According to the Bluetooth specification, the Bluetooth PIN is not a value that comes with a device, except for some devices that do not support a user interface and are configured by the vendor with fixed PINs that are provided by the device manufacturer and cannot be changed. In this case, although weak, the use of a fixed PIN is acceptable for devices that do not have a user interface.
Pairing Security. Bluetooth devices should be paired in a private physical setting to minimize the risk of eavesdropping or other potential attacks. Users should never respond to any messages requesting a PIN, unless the user has initiated a pairing and is certain the PIN request is being sent by one of the user’s devices.
Pairing Management. In the event a Bluetooth capable device is lost or stolen, users should immediately unpair the missing device from all other Bluetooth devices with which it was previously paired. This will prevent an attacker from using the lost or stolen device to access another trusted Bluetooth device owned by the user.
Non-Discoverable Mode. The default self-identifying or discoverable names provided on Bluetooth devices should be changed to anonymous unidentifiable names. Again, disabling the Bluetooth interface when not in use and operating the Bluetooth device only in non-discoverable mode will increase the operational security of Bluetooth devices. It is important that devices remain in a non-discoverable and non-connectable state except as needed to make trusted connections.
Spatial Distance. Establishing spatial distance requires setting the power requirements low enough to prevent a device from having sufficient power to be detected from outside a physical area (e.g., outside the office building). This spatial distance in effect creates a more secure perimeter. Currently, Bluetooth devices have a useful range of approximately three feet (with a class 3 device). Organizations with requirements for high levels of security may restrict unauthorized personnel from using PDAs, laptops, and other electronic devices within the secure perimeter for added security.
Transmission Control. Users should not accept transmissions of any sort from unknown or suspicious devices. These types of transmissions include messages, files, and images. With the increase in the number of Bluetooth-enabled devices, it is important that users only establish connections with other trusted devices and only accept transmissions from these trusted devices.
Additionally, Bluetooth-enabled devices, as with all other wireless devices, should follow the security guidelines described in Sections 4.5.3.2 and 4.5.3.3, which include the use of personal firewalls, software patches, antivirus protection, policy enforcement, and data-at-rest security.

5.7 Bluetooth Security Checklist
Table 5-4 provides a Bluetooth security checklist. The table presents guidelines and recommendations for creating and maintaining a secure Bluetooth wireless network. For each recommendation or guideline, a justification column lists areas of concern for Bluetooth devices, the security threats and vulnerabilities associated with those areas, and risk mitigations for securing the devices from these threats and vulnerabilities. Additionally, with each recommendation and justification, a checklist with three columns is provided. The first column, the “Recommended Practice” column, if checked, means that this entry represents something recommended for all organizations. The second column, the “Should Consider” column, if checked, means that the entry’s recommendation is something that an organization should carefully consider for three reasons. First, implementing the recommendation may provide a higher level of security for the wireless environment by offering some additional protection. Second, the recommendation supports a defense-in-depth strategy. Third, it may have significant performance, operational, or cost impacts. In summary, if the “Should Consider” column is checked, organizations should carefully consider the option and weigh the costs versus the benefits. The last column, “Status”, is intentionally left blank to allow organization representatives to use this table as a true checklist. For instance, an individual performing a wireless security audit in a Bluetooth environment can quickly check off each recommendation for the organization, asking, “Have I done this?”
Table 5-4. Bluetooth Security Checklist
Columns: Security Recommendation; Security Need, Requirement or Justification; Recommended Practice; Should Consider; Status

Management Recommendations

1. Develop an organization security policy that addresses the use of wireless technology including Bluetooth technology.
   Justification: A security policy is the foundation on which other countermeasures (operational and technical) are rationalized and implemented. A documented security policy allows an organization to define acceptable implementations and uses for Bluetooth technology.

2. Ensure that users on the network are fully trained in computer security awareness and the risks associated with wireless technology (i.e., Bluetooth).
   Justification: A security awareness program helps users to establish good security practices in the interest of preventing inadvertent or malicious intrusions into an organization’s automated information system.

3. Perform a risk assessment to understand the value of the assets in the organization that need protection.
   Justification: Understanding the value of organizational assets and the level of protection required enables the engineering of a wireless solution that provides an appropriate level of security.

4. Perform comprehensive security assessments at regular intervals to fully understand the wireless network security posture.
   Justification: Wireless products should support upgrade and patching of firmware to be able to take advantage of wireless security enhancements and fixes.

5. Ensure that the wireless “network” is fully understood. With piconets forming scatternets with possible connections to IEEE 802.11 networks and to both wired and wireless wide area networks, an organization must understand the overall connectivity. Note: a device may contain various wireless technologies and interfaces.
   Justification: A thorough understanding of the functionalities and configurations of the deployed wireless network technologies allows an organization to identify possible risks and vulnerabilities. These risks and vulnerabilities can then be addressed in the wireless security policy and enforced appropriately.

6. Ensure external boundary protection is in place around the perimeter of the building or buildings of the organization.
   Justification: To prevent malicious physical access to an organization’s information system infrastructure, the external boundaries should be secured through means such as a fence or locked doors.

7. Deploy physical access controls to the building and other secure areas (e.g., photo ID, card badge readers).
   Justification: Identification badges or physical access cards should be deployed to ensure that only authorized personnel have physical access to a facility.

8. Ensure that handheld or small Bluetooth devices are protected from theft.
   Justification: The organization and its employees should be responsible for its wireless technology components because theft of those components could lead to malicious activities against the organization’s information system resources.

9. Ensure that Bluetooth devices are turned off during all hours when they are not used.
   Justification: Shutting down Bluetooth devices when not in use minimizes exposure to potential malicious activities.

10. Take a complete inventory of all Bluetooth-enabled wireless devices.
   Justification: A complete inventory list of Bluetooth-enabled wireless devices can be referenced when conducting an audit that searches for unauthorized use of wireless technologies.

11. Study and understand all planned Bluetooth-enabled devices to understand any security idiosyncrasies or inadequacies.
   Justification: An understanding of the security implications of Bluetooth will help the organization better address the associated risks.

Technical Recommendations

12. Change the default settings of the Bluetooth device to reflect the organization’s security policy.
   Justification: Because default settings are generally not secure, a careful review of those settings should be performed to ensure that they comply with the company security policy.

13. Set Bluetooth devices to the lowest necessary and sufficient power level so that transmissions remain within the secure perimeter of the organization.
   Justification: Setting Bluetooth devices to the lowest necessary and sufficient power level ensures a secure range of access to authorized users.

14. Ensure that the Bluetooth “pairing” environment is secure from eavesdroppers (i.e., the environment has been visually inspected for possible adversaries before the initialization procedures during which key establishment occurs).
   Justification: Key establishment is a vital security function and requires that users maintain a security awareness of possible eavesdroppers.

15. Choose PIN codes that are sufficiently random and avoid all weak PINs.
   Justification: PIN codes should be random so that they cannot be easily guessed by malicious users.

16. Choose PIN codes that are sufficiently long.
   Justification: PIN codes with the maximum length of 16 bytes are more resistant to brute force attacks.

17. Ensure that no Bluetooth device is defaulting to the zero PIN.
   Justification: Bluetooth devices defaulting to the zero PIN (e.g., 0000) essentially provide no security.

18. Configure Bluetooth devices to delete PINs after initialization to ensure that PIN entry is required every time and that the PINs are not stored in memory after power removal.
   Justification: Requiring PIN entry after re-initialization prevents the possibility of a PIN being recovered from the memory of a stolen device.

Operational Recommendations

19. Ensure that combination keys are used instead of unit keys.
   Justification: The use of shared unit keys can lead to successful man-in-the-middle attacks.

20. Invoke link encryption for all Bluetooth connections regardless of how needless encryption may seem (i.e., no Security Mode 1).
   Justification: Link encryption should be used to secure all data transmissions during a Bluetooth connection.

21. Ensure that encryption is enabled on every link in the communication chain.
   Justification: Every link should be secured because one unsecured link results in compromising the entire communication chain.

22. Make use of Security Mode 2 in controlled and well-understood environments.
   Justification: Security Mode 2 provides authorized access to services.

23. Ensure device mutual authentication for all accesses.
   Justification: Mutual authentication is required to provide verification that all devices on the network are legitimate.

24. Enable encryption for all broadcast transmissions (Encryption Mode 3).
   Justification: Broadcast transmissions secured by link encryption provide a layer of security that protects these transmissions from interception for malicious purposes.

25. Configure encryption key sizes to the maximum allowable.
   Justification: Using maximum allowable key sizes provides protection from brute force attacks.

26. Establish a “minimum key size” for any key negotiation process.
   Justification: Establishing minimum key sizes ensures that all keys are long enough to be resistant to brute force attacks. Preferably, 128-bit key sizes should be used.

27. Ensure that portable devices with Bluetooth interfaces are configured with a password to prevent unauthorized access if lost or stolen.
   Justification: Authenticating users to a portable Bluetooth device is a good security practice in the event the device is stolen, and provides a layer of protection for an organization’s Bluetooth network.

28. Use application-level (on top of the Bluetooth stack) encryption and authentication for highly sensitive data communication.
   Justification: Application-level encryption and authentication provide security on top of the Bluetooth link encryption; the overlay increases the security of communication.

29. Use smart card technology in the Bluetooth network to provide key management.
   Justification: The use of smart card technology can simplify the distribution and management of keys while maintaining strong security.

30. Install antivirus software on intelligent, Bluetooth-enabled hosts.
   Justification: Antivirus software should be installed on a Bluetooth-enabled host to ensure that known viruses are not introduced to the Bluetooth network.

31. Fully test and deploy Bluetooth software patches and upgrades regularly.
   Justification: Newly discovered security vulnerabilities of vendor products should be patched to prevent malicious and inadvertent exploits. Patches should be fully tested before implementation to ensure that they work.

32. Deploy user authentication such as biometrics, smart cards, two-factor authentication, or PKI.
   Justification: Implementing strong authentication mechanisms can minimize the vulnerabilities associated with passwords and PINs.

33. Deploy intrusion detection agents on the wireless part of the network to detect suspicious behavior or unauthorized access and activity.
   Justification: Intrusion detection agents (e.g., host-based or network-based agents) deployed on the wireless network can detect and respond to potential malicious activities.

34. Fully understand the impacts of deploying any security feature or product prior to deployment.
   Justification: To ensure a successful deployment, an organization should fully understand the technical, security, operational, and personnel requirements prior to implementation.

35. Designate an individual to track the progress of Bluetooth security products and standards (perhaps via the Bluetooth SIG) and the threats and vulnerabilities associated with the technology.
   Justification: An appointed individual designated to track the latest technology enhancements, standards (perhaps via the Bluetooth SIG), and risks will help to ensure the continued secure use of Bluetooth.

36. Wait until future releases of Bluetooth technology incorporate fixes to the security features or offer enhanced security features.
   Justification: Upgrade to the latest versions and avoid purchasing the versions of Bluetooth products with major security vulnerabilities that have not been fixed.
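As an added example that is not part of the NIST document, the following Python audit routine evaluates a device configuration against the Section 5.6 countermeasures and rows 15 to 26 of Table 5-4. The DeviceConfig fields, the row mappings and the two sample configurations are assumptions constructed for the example; the meaning of Encryption Modes 1 to 3 (none, point-to-point only, all traffic including broadcast) is taken from the Bluetooth specification rather than from this page.

```python
"""Audit a Bluetooth device configuration against the Section 5.6
countermeasures and rows 15-26 of Table 5-4. Added example, not part of
the NIST document; fields, sample values and row mappings are assumptions."""
from dataclasses import dataclass

MIN_PIN_LEN = 8     # Section 5.6 "PIN Length": at least eight characters
MAX_PIN_LEN = 16    # Table 5-4 row 16: Bluetooth PINs are at most 16 bytes
MIN_KEY_BITS = 128  # Table 5-4 row 26: establish a 128-bit minimum key size


@dataclass
class DeviceConfig:  # constructed model of settings read off a device
    discoverable: bool    # row 9 / 5.6 "Non-Discoverable Mode"
    pin: str              # PIN used for pairing (rows 15-17)
    pin_retained: bool    # PIN kept in memory after initialization (row 18)
    key_type: str         # "combination" or "unit" link key (row 19)
    security_mode: int    # 1 = none, 2 = service level, 3 = link level (row 20)
    encryption_mode: int  # 1 = none, 2 = point-to-point only, 3 = all (row 24)
    key_bits: int         # negotiated encryption key size, 8..128 (rows 25-26)
    mutual_auth: bool     # both devices authenticate each other (row 23)


def weak_pin_reasons(pin: str) -> list[str]:
    """Rows 15-17 and 5.6 'PIN Length': list every weakness found in a PIN."""
    reasons = []
    if not MIN_PIN_LEN <= len(pin) <= MAX_PIN_LEN:
        reasons.append("length outside the 8..16 character range")
    if pin and set(pin) == {"0"}:
        reasons.append("zero PIN provides no security")
    if pin.isdigit():
        steps = {ord(b) - ord(a) for a, b in zip(pin, pin[1:])}
        if len(pin) >= 4 and steps in ({1}, {-1}):
            reasons.append("sequential digits are easily guessed")
        reasons.append("digits only; an alphanumeric PIN is recommended")
    return reasons


def audit(cfg: DeviceConfig) -> list[str]:
    """Return one finding per violated recommendation; [] means compliant."""
    findings = [f"PIN: {r}" for r in weak_pin_reasons(cfg.pin)]
    if cfg.discoverable:
        findings.append("discoverable mode enabled; operate non-discoverable")
    if cfg.pin_retained:
        findings.append("PIN retained in memory; delete it after initialization")
    if cfg.key_type != "combination":
        findings.append("unit key in use; combination keys are required")
    if cfg.security_mode == 1:
        findings.append("Security Mode 1: link encryption is never invoked")
    if cfg.encryption_mode < 3:
        findings.append("broadcast traffic unencrypted; use Encryption Mode 3")
    if cfg.key_bits < MIN_KEY_BITS:
        findings.append(f"{cfg.key_bits}-bit key is below the 128-bit minimum")
    if not cfg.mutual_auth:
        findings.append("mutual authentication not enforced for all accesses")
    return findings


# Constructed samples: a factory-default style device and a hardened one.
WEAK = DeviceConfig(True, "0000", True, "unit", 1, 1, 56, False)
HARDENED = DeviceConfig(False, "Xk7q2RmZ", False, "combination", 3, 3, 128, True)

if __name__ == "__main__":
    print(*audit(WEAK), sep="\n")  # prints the ten weak-device findings
```

The hardened configuration yields no findings, while the default-style one yields ten, three of them for the zero PIN alone.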